Twitter Bags Encryption Program

While Twitter rose to notoriety by being the place where people spilled the minutiae of their lives, there are times when its users don't want everyone in the online world to see what they're thinking. For those occasions, there's direct messaging.

When direct messages are sent by one tweeter to another, there's a certain expectation of privacy there -- even though little is done to protect those messages should they be snatched by a snoop.

Twitter was planning to change that. It launched a program last November to find a way to encrypt direct messages sent within its microblogging realm. Last week, though, news surfaced that the company had pulled the plug on the project.

Twitter has been mum on the subject -- it did not respond to our request for comment on this story -- but others have not been so reticent.

"This signals that Twitter is clearly not interested in being a secure private messaging service and is focusing on public communications," JJ Thompson, managing director and CEO of Rook Security, told TechNewsWorld.

"It is absolutely a setback for Twitter users who are relying on secure private communications," he added.

Waste of Effort

While Twitter is concerned with the privacy of its users and protecting them from run-of-the-mill phishing attacks and such, it's unlikely anything it was going to do would protect its users' direct messages from the likes of the NSA, noted Tal Klein, vice president of marketing for Adallom.

Moreover, that kind of encryption would very likely crank up the customer complaints.

"I'm guessing that's why the project got shelved," he added, "because if I asked you today if you'd accept a slower Twitter in exchange for more privacy, you'd say, 'No.'"

While users may expect direct messages to be private, few are naive enough to consider them secure.

"There is no assurance of privacy or security in transmission or delivery of direct messages," said Simon Crosby, CTO and cofounder of Bromium.

"Adding serious security controls to DMs would be a massive amount of work, and it's not clear that users view Twitter as a platform they would trust for secure communications anyway, so it would probably be a wasted effort," he told TechNewsWorld.

Privacy Commitment Undiminished

Suspension of the direct messaging encryption program may disappoint some users, but it doesn't mean Twitter's commitment to privacy and security is diminishing, maintained Michael Sutton, vice president of security research at Zscaler.

"While adding direct message encryption would be a positive step forward for the privacy of Twitter users, that feature alone is not a silver bullet, and temporarily curtailing the effort is not a blanket statement on Twitter's commitment to security," Sutton told TechNewsWorld.

"Twitter is actually one of the more progressive social networking sites, having moved to allow users to force encrypted communication for all traffic back in 2011. It has also shown a commitment to security by obtaining top talent and technology, as they demonstrated with their 2012 acquisition of Dasient," he explained.

"It has also shown a strong commitment to user privacy [and has] been at the forefront of efforts to allow greater transparency related to government requests for information disclosures, and [it] regularly fights court orders to hand over data," Sutton observed.

Ukraine Is No Estonia

Pentagon brass have hinted about the U.S. arsenal of weapons that could be used in a cyberwar, but the only world power that's actually used such arms in a real international conflict has been Russia. It mounted some crippling Distributed Denial of Service attacks against Estonia in 2007, and there's evidence it's trying to infect networks in the Ukraine with the Uroburos rootkit.

"It is not surprising to see state-sponsored malware like Uroburos appearing on networks in Ukraine in the midst of the Crimean crisis," said Tom Cross, director of security research at Lancope. "Malware activity is an integral part of international conflict today."

Although malware typically assumes the role of spy -- snatching intelligence located on computers and shipping it to its masters -- it can be used to throw a spanner in a nation's infrastructure, as the U.S. demonstrated with the Stuxnet attack on Iran's nuclear development program.

"I'm not aware of any reports of Uroburos being used to disable critical infrastructure, but if a violent conflict breaks out in Ukraine it would not be surprising to see cyberattacks used in that capacity," Cross noted.

The malware tactic appears to have supplanted DDoS as a cyberwar strategy used by the Russians.

"Although Lancope does see some Internet DDoS attack activity occurring in Ukraine right now, it is nothing out of the ordinary," Cross said. "We are not seeing the massive levels of DDoS attack activity that we saw in Estonia in 2007. However, if the conflict escalates nothing is out of the question."

Breach Diary

March 18. The IRS discloses that one of its employees took home a thumb drive containing unencrypted data on some 20,000 of the agency's workers. The data -- including Social Security numbers, names and addresses of employees and contract workers -- could potentially be compromised because the drive was plugged into the employee's unsecured home network.

March 21. Cisco reports that the risk of Internet users encountering malware increased 10 percent from January to February this year. Java malware encounters also increased during the period, from four percent in January to nine percent in February.

March 21. Bitcoin exchange Gox reveals it discovered 200,000 ($115.8 million) in "forgotten" bitcoins on March 7, a week after it filed for bankruptcy saying it lost almost all its holdings of the 850,000 bitcoins, worth about $500 million at today's prices.

Upcoming Security Events

March 25. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.

April 8. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.

April 29. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.

May 20. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.

June 3. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.

June 24. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.